Getting—and living—risk religion

E*Trade Financial had its share of challenges arising out of the financial crisis and its legislative and regulatory aftermath.

A prime financial challenge was addressing a large holding of mortgage loans that went bad. But a longer-term, regulatory challenge concerned the company’s approach to risk management. E*Trade Bank and E*Trade Savings Bank had been regulated by the Office of Thrift Supervision. The 2010 Dodd-Frank Act killed OTS and transferred banks under its authority to the Office of the Comptroller of the Currency.

Management recognized that the OCC’s regulatory regime was stricter, and that it would have to improve its game. (The transition came in 2011 and continued into 2012.) In addition, larger financial organizations have progressively been expected to adopt a more structured and rigorous risk management program. A key area that needed beefing up at E*Trade, in light of both the financial and regulatory developments, was enterprise risk management.

Risk budget soars

This has been a major company focus over the last few years, bearing such significance that it has surfaced in all recent annual letters from management. In 2013, E*Trade’s letter noted that its spending on ERM rose by $17 million in that year alone.

The company’s ERM build-out ran the gamut: setting up new internal management and board committees addressing various aspects of risk, significantly increasing the portion of employees devoted to risk management work—now 10% of the company’s employees—and tapping outside experts to help the organization get up to current practices.

This came at a time when expectations have been a moving target for banking companies. For example, in mid-2014, E*Trade fell under the newly implemented requirements that publicly traded holding companies larger than $10 billion satisfy risk committee requirements under the Fed’s enhanced prudential standards. (At the end of the first quarter, E*Trade Bank came to $44.7 billion in assets, E*Trade Savings Bank came to $1.1 billion, and the entire holding company came to $46.8 billion.)

The target has been to get the company up to a “best practices” level, according to Mike Pizzi, who became chief risk officer in early 2014, following the retirement of Paul Brandow. Brandow started the ERM rebuilding, and Pizzi succeeded him. Pizzi has been with E*Trade since 2003 and previously worked for Lehman Brothers, First Maryland Bank, and the Federal Reserve. (In mid-June, Pizzi was named chief financial officer and Brandow came back on an acting basis while the company searches for a new CRO to take over the improved ERM program that the two put together.)

While risk management issues run throughout an organization, three broad concerns governed, and continue to govern, E*Trade’s efforts, according to Pizzi: compliance and risk issues in existing regulation; weaknesses detected that require bolstering; and emerging regulatory concerns that need to be addressed.

As an example of the latter, the company will have to report the results of Dodd-Frank stress testing to the Federal Reserve in 2017. E*Trade has already been through the exercise internally, and it reported a round of stress testing to the Comptroller’s Office in 2014. This, and falling under OCC capital requirements, reflects a change for E*Trade, which is a savings and loan holding company and is now subject to Fed supervision under Dodd-Frank.

Process vs. exposures

A major focus in building up E*Trade Financial’s ERM has been establishing and maintaining discussions with regulators, says Pizzi.

He acknowledges that some bankers complain that regulators will not tell a bank what they expect, but will object when they don’t like what they see a bank doing. The implication is that effort is wasted when the bank finds it hasn’t been moving in the right direction.

But Pizzi believes frequent communication can help here.

“Yes, regulators will definitely tell you what they don’t want,” he explains. “But you can develop the right dialog with them to make sure you wind up in the right place.”

Pizzi says that many regulatory requirements focus more on risk management process—the internal machinery of risk management—rather than specific exposures. He says it is important that banks expanding their ERM efforts think broadly. Historically, banks focused on financial risks, but risk management has evolved past the traditional touch points. Now, Pizzi continues, a CRO must not only focus on credit risk, market risk, and rate risk, but also on additional exposures, such as financial model validation and operational risk.

The E*Trade board’s risk oversight committee, which is chaired by risk consultant James Lam, author of a noted work on risk management, covers much more than financial risks.

Behind each of these responsibilities lie measurement and management capabilities that the ERM build-out has required E*Trade to design and implement. All these come under the bank’s ERM committee, which is the company’s highest staff-level risk monitoring body. Setting limits in each risk area and monitoring performance against those limits is a key function.

At the company, certain specific risks come under more specialized committees, such as the operational risk and control committee, asset liability committee, credit risk committee, model risk management committee, and new products review committee.

Some of these functions are overseen by executives who serve as leads for areas like operational risk, market risk, and credit risk. Others come directly under the CRO—including reputation risk, strategic risk, and risk training and development. The latter includes the CRO’s role as overseer of efforts to inculcate risk culture throughout the organization.

Walls and shortstops

Pizzi says that E*Trade Financial now uses a “lines of defense” approach to risk management. The concept envisions rings of risk management effort surrounding the bank like multiple walls around a medieval city. Should one line fail to control a given risk, the concept goes, then additional layers stand between the company and the risk.

Clearly, according to Pizzi, “lines of business need to own their risks. It is not the job of the risk department to own their risk. It’s risk management’s job to oversee the risk.” Risk tone comes from the board down.

After the first line of defense come staff functions that oversee specific risks—compliance and legal, for example. Pizzi says these functions, as well as his own, are expected to determine the root cause of problems.

Then there is the independent internal audit function, the final line of defense.

Pizzi says that this structural underpinning was put in place at the beginning of the company’s ERM revamp.

A key element underlying the lines of defense approach is accountability. According to Pizzi, culture goes hand in hand with that.

To shift metaphors, baseball offers a useful view. An infielder—proxy for the first line of defense, the business unit—may miss a grounder, and the outfielder—the second line—may scoop it up and fire the ball to first base. However, the team manager isn’t going to just shrug off that missed grounder. He’s going to want to know why the infielder missed the ball.

Thus, a critical function that dovetails with the lines-of-defense approach is training—teaching staff at all levels about risk management and impressing on them that every player must fulfill their role, i.e., accountability. The baseball manager may decide, after enough errors, that the infielder needs to spend more time with the fielding coach.

In search of root causes

The CRO’s work goes up and down the company hierarchy. The CRO coordinates with the board risk committee and its chairman, and that includes an ongoing dialog, Pizzi says, though that communication also can be event driven when something significant arises.

On the job, the CRO’s work often involves running the overall system like a ship’s chief engineer—making sure it functions properly, and that adjustments and policy development occur as events constantly change the company’s overall picture.

But beyond the administration of the overall risk process and monitoring, what does a CRO do all day at E*Trade?

There are ongoing tasks like vendor management—a high priority with the regulators now—and evaluation of risk assessment and risk program validation.

Pizzi says the job also entails digging into events or trends that have arisen to determine root causes of problems.

“When you have an issue or event that occurs, many times, if you don’t have a risk management mindset, the response is to put a process fix in place,” Pizzi points out. This is like a doctor prescribing for a symptom, rather than for a condition or disease that causes the symptom. “If that fix doesn’t get to the root cause,” Pizzi explains, “the problem will reoccur.”

Root-cause analysis directs a bank’s efforts to the underlying problem. Pizzi illustrates this by pointing to mistakes arising from manual input error. Simply requiring a manual check to prevent that error may not actually improve the matter, he says—it’s still all human. Implementing an automated check that occurs without human interaction will help ensure that the possibility of manual error is always reviewed.

Finding the root causes and implementing remedies may range beyond the risk function, according to Pizzi. The company has procedures that the CRO and the risk team apply to a problem. The remedy may require working with the specific bank department to find the weak point in the process that produced the risk. Such issues are reported to the ERM committee at regular meetings, and results of the investigation are later reported there as well. Some matters would reside within the company alone, while others may require bringing vendors into the resolution.

In addition, Pizzi says root-cause analysis can serve a preventative role. The same process used to fix problems is applied when risk control assessments are performed.

This helps the CRO and the risk team to maintain broad awareness. “You gain an understanding of all the company’s processes across the business,” says Pizzi.

Prep for “one bad tweet”

Part of the CRO’s job is acting on issues that require immediate resolution or reaction. One such area: reputation risk.

Before there is a problem, Pizzi says, it is critical that an organization understands, at a company-wide level, “what your priorities are.” If there is zero tolerance for a particular kind of error or misbehavior, that has to be clear.

Pizzi adds that any other risk category can drive reputation risk, especially when reputation attacks can be just one nasty “tweet” away.

The key, according to Pizzi, is devising a series of action steps in advance of a publicity meltdown. Different scenarios must be considered and advance strategies devised.

And then, says Pizzi, those outlined efforts must be capable of being made live. They can’t just be a binder gathering dust on the shelf.

He explains that the ERM function grew out of the “classic” risk seats in banking—credit risk officers and market risk officers.

“Operational risk has become more front and center,” says Pizzi.

Ultimately, Pizzi sums up, risk management intertwines with customer service. If customers don’t get what they want from a financial provider, and can’t rely on the provider to get things right, then the rest of the risks banks watch don’t matter. Without the customer, there won’t be any business.